[gptalk] Re: Help Me! Prevent Users to install software on their computers.

  • From: "DinhDuy" <dinhduy@xxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 13 Feb 2007 19:45:21 +0700

Yes, I've just deployed my users with the users group but I have a question.
How can I enable Sharing and Security function for my users? With the users
group, user can't use sharing and security in context menu and printer
sharing as well.


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of MacLeonard
Sent: Tuesday, February 13, 2007 10:15 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Help Me! Prevent Users to install software on their
computers.

Hi DinhDuy,  and all

> - I deploy Power Users rights to all users in my Domain.
>
> - After deploying, everyone can setup software on their computer, so I
want
> to prevent this action. How can I do that?

Here's the best solution to this problem (flame sheilds up):

              1. Prevent your users from running as power users.

Giving a user power user rights on a desktop is akin to giving them
administrator privileges.

Here's how this kind of thing typically plays out:

1. You give your users Power User rights.
2. You want to lock down a specific aspect (such as installing software)
3. You invest large amounts of time/money obtaining a "solution" and
making it "work"
4. Your users find some (not very difficult) way around this "solution"
5. Repeat steps 3 and 4 ad infinitum.

Take the time to work out how enable your users to work as members of
the users group, and you'll save a significant amount of time in the
long run.

You *could* always enable software restriction policies make the
default policy "disallowed" and then enable access to *only* those
apps you need to run, but your users will likely work out that they
can get around this with admin rights in short order - and the process
is quite tedious and very very difficult.

Option 1 is undoubtedly the way to go on this.

-- 
MacLeonard Starkey
CISSP, MCSA
Email: winsec@xxxxxxxxx
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: